 |
| Authorized access only using OpenID Connect |
Overview
For the GitHub Traffic Analytics app, the statistics are fetched automatically and stored in Db2. Users access the data via a Python app based on the Flask microframework. Visualization is based on Cognos Dashboard Embedded. User management (authentication and authorization) is realized through the following combination:
 |
| Architecture diagram |
- IBM Cloud App ID provides the authentication service. It provides a wrap around identity providers, ranging from social logins (Facebook, Goggle) over Cloud Directory to SAML-based enterprise user directories.
- The module Flask-pyoidc is an OpenID Connect (OIDC) client for Python and the Flask framework. It interacts with App ID for the authentication.
- User roles and provileges are stored in Db2 Warehouse on Cloud along the statistics. The user information provided in the authentication token determines the accessible data sets and related privileges.
Configure OpenID Connect client
Assuming the Python app is deployed on Cloud Foundry, the credentials for the App ID service can be obtained the following way:if 'VCAP_SERVICES' in os.environ: vcapEnv=json.loads(os.environ['VCAP_SERVICES']) # Obtain configuration for appIDInfo = vcapEnv['AppID'][0]['credentials']
The metadata in "appIDInfo" serves as input for the configuration of the OIDC client:
# Configure access to App ID service for the OpenID Connect client
provider_config={
"issuer": "appid-oauth.ng.bluemix.net",
"authorization_endpoint": appIDInfo['oauthServerUrl']+"/authorization",
"token_endpoint": appIDInfo['oauthServerUrl']+"/token",
"userinfo_endpoint": appIDInfo['profilesUrl']+"/api/v1/attributes",
"jwks_uri": appIDInfo['oauthServerUrl']+"/publickeys"
}
client_info={
"client_id": appIDInfo['clientId'],
"client_secret": appIDInfo['secret']
}
With the configuration in place the OIDC client is initialized:
# Initialize OpenID Connect client auth = OIDCAuthentication(app, provider_configuration_info=provider_config,
client_registration_info=client_info,userinfo_endpoint_method=None)
The above code snippets are part of the file backend/ghstats.py in the GitHub repository "github-traffic-stats" as part of the tutorial.
Protect web routes
After the configuration, the OpenID Client can be used to protect individual pages or sections ("routes") of the web app. This is done by attaching an additional decorator to the route definition:# Show a user profile
@app.route('/user/profile')
@auth.oidc_auth
def profile():
return render_template('profile.html',
id=flask.session['id_token'], role=flask.session['userrole'])
The code "@auth.oidc_auth" is the decorator. It makes sure that the code is only executed for authenticated users. In the code snippet above you see that information from an "id_token" and a "userrole" are passed for processing. I will discuss the role-based privileges and the user managed realized with Db2 in a follow-up blog post.
Conclusions
Using IBM Cloud App ID together with an OpenID Connect client, it is fairly simple to protect routes (web pages) in a Python Flask app. The two combined allow to use social identity providers such as Facebook and Google, the Cloud Directory provided by App ID, or even enterprise user directories based on the SAML protocol.For details read the full tutorial and deploy the code provided in this GitHub repository.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.